Magento Security Patch Bundle - January 2016

All Magento websites have been patched for all clients on both Community and Enterprise versions of Magento.

January 20, 2016

Magento released a bundle of patches today, Patch SUPEE-7405, for both the Community and Enterprise versions. Here are the security problems addressed in this patch:

Cross-site Scripting (XSS) - Stored

Severity = 9.3 (Critical)

Cross-site Scripting (XSS) - Stored

Severity = 9.3 (Critical)

Cross-site Scripting (XSS) - Stored

Severity = 7.5 (High)

Information Leakage

Severity = 7.5 (High)

Cross-site Request Forgery (CSRF)

Severity = 7.4 (High)

Insufficient Protection

Severity = 6.5 (Medium)

Cross-site Request Forgery (CSRF)

Severity = 6.1 (Medium)

Insufficient Data Protection

Severity = 5.4 (Medium)

Denial of Service

Severity = 5.3 (Medium)

Brute Force (Generic) / Insufficient Anti-automation

Severity = 5.3 (Medium)

Information Disclosure (Internal)

Severity = 5.3 (Medium)

Cross-site Scripting (XSS) - Stored

Severity = 4.3 (Medium)

Cross-site Scripting (XSS) - Stored

Severity = 3.8 (Low)

Cross-site Scripting (XSS) - Reflected

Severity = 0.0 (Low)

Improper Input Handling

Severity = 0.0 (None)

We realize the above is cryptic and understanding each vulnerability would be very difficult. However, the above does illustrate the number of security-related vulnerabilities and the criticality of each. If you are interested in learning more about these vulnerabilities, please visit Magento's website:

Modern Retail is testing this patch now and will be rolling it out to your website as soon as possible. We'll be posting additional information about the patch here, so please check back for the latest updates.

Please submit a Support Request if you have any questions about this patch. Thank you.